By Ryan Singel
The Mac has officially gone mainstream.
The proof? On Halloween, professional online criminals were found using
Trojan-horse software to target, for the first time, computers running
Apple's OS X operating system -- just as they have been doing for years
on the more ubiquitous flavors of Windows.
"Apple's day has finally come, and Apple users are going to get hit
hard," security researcher Gadi Evron said. "OS X is the new Windows."
The Trojan comes disguised as a video-decoding plug-in that users are
told they must install to watch free porn clips. Instead, the software
burrows into the operating system and diverts some of the victim's
future web surfing to sites under the attacker's control. It's the
professional attack on Macs that the security community has long
predicted, according to Dave Marcus, security research manager at
McAfee's Avert Lab, who said it was "written by people who know how to
The arrival of the Mac Trojan signals that cybercrooks have decided
there are finally enough Apple systems on the internet to make attacking
them profitable, according to security experts. Apple is the nation's
No. 3 desktop and laptop seller in the United States, behind Dell and
Hewlett Packard. And this year, the Cupertino company accounted for an
impressive 8.1 percent of the personal-computer market for the third
quarter, up nearly two percentage points from the same period a year
ago. Evron and other observers predict that black hats will have a field
day with Macs, as well as with Apple's new mobile platforms.
"With 2 million iPhones and iPod Touches, it makes sense they will think
of them as an evolving market to exploit, and there are a lot of new Mac
users who aren't as savvy as Mac's earlier users," said CEO Alex
Eckelberry of Sunbelt Software, which sells security software for
But Carl Howe, an Apple analyst at Blackfriars Communications, disputes
the security researchers' theories. He thinks that OS X's Linux heritage
makes Apple systems less vulnerable to attack than Windows-based
platforms. He argues that even if hacking Macs hasn't been profitable in
the past, attackers would have done it anyway if they'd been able --
just for the attention.
"I think the market-share thing has always been a myth," Howe said.
"It's a good story to talk about."
Announced Wednesday by Mac-focused security company Intego, the Mac
Trojan was found on a set of pornography sites, where attackers dangled
free movies that supposedly required users to install a special
Quicktime codec to view.
The codec, however, is fake. Instead of unlocking a skin flick, it
installs what Intego dubbed the OSX.RSPlug.A Trojan horse on the user's
Black-hat hackers have been using fake codecs for more than a year to
trick Windows users into installing software. In this case, when the
site serving the malware determines that a user is on a Mac, it delivers
a Mac-specific version.
Once installed, the Trojan hijacks the system's Domain Name System (DNS)
settings. Internet-connected applications use DNS to translate the domain
name in a URL, such as www.Wired.com, into the numeric IP address of a server.
By hijacking the DNS, the attacker is able to replace search results
with links to sites that he controls, in hopes of making money from
online purchases, according to Eckelberry.
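A hijack of this kind is only effective as long as the victim's system keeps pointing at the attacker's resolvers, so the practical check is to compare the resolvers the system is actually configured with against the ones the owner expects. The script below is an added example written for this page, not code from the article or from any of the vendors quoted in it. It parses the layout that `scutil --dns` prints on Mac OS X (a constructed sample is embedded so it runs offline; the article does not say how the Trojan alters the settings, and the example assumes the rogue resolvers end up in the configuration that command reports) and flags any nameserver that is not on a hypothetical allowlist. The resolver addresses in `EXPECTED_RESOLVERS` and the sample are example values, not real infrastructure.

```python
import ipaddress
import re

# Constructed sample of `scutil --dns` output, in the layout that command
# prints on Mac OS X. Resolver #1 is what a hijacked machine might show:
# two nameservers the local network does not use. Addresses are from the
# documentation ranges and are invented for this example.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 203.0.113.10
  nameserver[1] : 203.0.113.11
  order   : 200000

resolver #2
  domain  : local
  options : mdns
  order   : 300000
"""

# Resolvers the owner of this machine expects to see (hypothetical values:
# a home router and one ISP resolver). Replace with your own.
EXPECTED_RESOLVERS = {"192.168.1.1", "198.51.100.53"}

_RESOLVER_RE = re.compile(r"^resolver #(\d+)")
_NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")


def parse_scutil_dns(text):
    """Return {resolver_number: [nameserver, ...]} from `scutil --dns` text.

    Only `nameserver[N] : addr` lines are collected. Resolver blocks that
    carry no nameservers (for example the mDNS `.local` block) are reported
    with an empty list. Each address is validated with the ipaddress module,
    so a garbled or truncated line cannot masquerade as a resolver, and
    IPv4/IPv6 addresses are normalised to their canonical string form.
    """
    resolvers = {}
    current = None
    for line in text.splitlines():
        m = _RESOLVER_RE.match(line)
        if m:
            current = int(m.group(1))
            resolvers.setdefault(current, [])
            continue
        m = _NAMESERVER_RE.match(line)
        if m and current is not None:
            try:
                addr = str(ipaddress.ip_address(m.group(1)))
            except ValueError:
                continue  # not a valid IP literal; ignore the line
            resolvers[current].append(addr)
    return resolvers


def unexpected_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Return a sorted list of configured nameservers absent from `expected`."""
    expected_norm = {str(ipaddress.ip_address(a)) for a in expected}
    found = set()
    for servers in parse_scutil_dns(text).values():
        found.update(servers)
    return sorted(found - expected_norm)


if __name__ == "__main__":
    # On a real Mac, feed in live output instead of the constructed sample:
    #   import subprocess
    #   text = subprocess.run(["scutil", "--dns"], capture_output=True,
    #                         text=True).stdout
    rogue = unexpected_resolvers(SAMPLE_SCUTIL_DNS)
    if rogue:
        print("WARNING: unexpected DNS resolvers configured:", ", ".join(rogue))
    else:
        print("DNS resolvers match the expected set.")
```

Run on the sample, the check reports both 203.0.113.x resolvers as unexpected. The allowlist approach is deliberate: a denylist of known-bad resolver addresses would miss the next campaign, whereas a machine whose configured resolvers silently change to anything outside its known set is worth a look regardless of which crew is behind it.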
The software could also intercept intended visits to sites such as
banks, eBay and PayPal and redirect them to fake websites that harvest
users' logins and passwords. The scammers could then use that info to
get money out of the real sites, but neither Sunbelt nor McAfee
researchers have seen the malware harvesting personal-finance info.
Unlike many Windows-based attacks, the Trojan doesn't exploit a hole in
Apple's software, and it can't install itself. Instead, it relies on
social engineering, tricking users into downloading the codec, and
requiring that they type in the administrator password to install it.
But the fact that the hackers aren't attacking through software bugs
doesn't change the portent of this week's attack, according to
Eckelberry. "I don't care if you have to type in your admin password,"
Eckelberry said. "If you are asked to install a QuickTime plug-in, you
For the past year, fake codecs have been among the top problems
encountered by Windows users, according to Eckelberry. The attacks have
gotten so professional-looking that the fake codecs even have fake,
annoying end-user license agreements that users have to agree to.
The Mac Trojan is created by the same malware crew that has been
infecting Windows machines with the Trojans known as Zlob and
DNSChanger, according to Eckelberry and Marcus.
Marcus said McAfee researchers have already found the Mac Trojan on 65
websites. But he said the malware is not living up to its full
potential: It only redirects users who attempt to visit one obscure
"Truthfully, this is kind of strange," said Marcus. "If you are going to
mess with someone's DNS, I would have done far more fake DNS entries. I
have a sneaking suspicion that word got out before they wanted it to,
but that's just an educated guess."
Evron sees more problems for Apple users than just new Trojans that try
to trick users. Hackers will find it profitable and all too easy to find
holes in Apple software, because the company hasn't paid sufficient
attention to security, said Evron.
He predicts Apple will experience a full-range of attacks, just as
Microsoft did a decade ago when Windows machines and the internet first
"It's Mac season. The next two years will be interesting."
Staff writer David Kravets contributed to this story.